The Infisical Gateway requires outbound network connectivity to establish secure communication with Infisical’s relay infrastructure. This page outlines the required ports, protocols, and firewall configurations needed for optimal gateway usage.

Network Architecture

The gateway uses a relay-based architecture to establish secure connections:

  1. The Gateway connects outbound to the Relay Servers using the QUIC protocol over UDP
  2. Relay Servers facilitate secure communication between Gateway and Infisical Cloud
  3. All traffic is end-to-end encrypted using mutual TLS over QUIC

Required Network Connectivity

Outbound Connections (Required)

The gateway requires the following outbound connectivity:

Protocol   Destination                             Ports         Purpose
UDP        Relay Servers                           49152-65535   Allocated relay communication (TLS)
TCP        app.infisical.com / eu.infisical.com    443           API communication and relay allocation

Relay Server IP Addresses

Your firewall must allow outbound connectivity to the following Infisical relay servers on dynamically allocated ports.

54.235.197.91:49152-65535
18.215.196.229:49152-65535
3.222.120.233:49152-65535
34.196.115.157:49152-65535

These IP addresses are static and managed by Infisical. Any changes will be communicated with 60-day advance notice.

Protocol Details

QUIC over UDP

The gateway uses QUIC (Quick UDP Internet Connections) for primary communication:

  • Port 5349: STUN/TURN over TLS (secure relay communication)
  • Built-in features: Connection migration, multiplexing, reduced latency
  • Encryption: TLS 1.3 with certificate pinning

Understanding Firewall Behavior with UDP

Unlike TCP, UDP is a connectionless protocol, so depending on your organization’s firewall configuration you may need to adjust network rules accordingly. When the gateway sends UDP packets to a relay server, the relay’s responses must be allowed back in through the firewall. Modern firewalls handle this through “connection tracking” (also called “stateful inspection”), but the behavior varies with the firewall’s configuration.

Connection Tracking

Modern firewalls automatically track UDP connections and allow return responses. This is the preferred configuration as it:

  • Automatically handles return responses
  • Reduces firewall rule complexity
  • Avoids the need for manual IP whitelisting

If your firewall does not support connection tracking, you will need to whitelist the relay IPs explicitly so that their return traffic is permitted.

Common Network Scenarios

Corporate Firewalls

For corporate environments with strict egress filtering:

  1. Whitelist relay IP addresses (listed above)
  2. Allow UDP port 5349 outbound
  3. Configure connection tracking for UDP return traffic
  4. Allow ephemeral port range 49152-65535 for return traffic if connection tracking is disabled

Cloud Environments (AWS/GCP/Azure)

Configure security groups to allow:

  • Outbound UDP to relay IPs on port 5349
  • Outbound HTTPS to app.infisical.com/eu.infisical.com on port 443
  • Inbound UDP on ephemeral ports (if not using stateful rules)
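The corporate-firewall steps and the cloud security-group rules above, rendered as a Linux nftables policy for a dedicated gateway host. This is an added example, not Infisical's own tooling; it assumes nftables, that API_IPS holds the addresses app.infisical.com / eu.infisical.com currently resolve to (placeholder 203.0.113.x addresses are used below), and that DNS egress (not covered on this page) is needed to resolve those hostnames.

```shell
#!/bin/sh
# Added example, not Infisical's own code: render an nftables egress policy
# for a dedicated Linux gateway host from the connectivity listed on this page.
# Assumptions: nftables is in use, the host runs only the gateway, and
# API_IPS holds the addresses app.infisical.com / eu.infisical.com currently
# resolve to (placeholders from 203.0.113.0/24 below; resolve the hostnames
# yourself before loading, rather than relying on nft to resolve them).

RELAY_IPS="54.235.197.91 18.215.196.229 3.222.120.233 34.196.115.157"
RELAY_PORTS="5349, 49152-65535"
API_IPS="${API_IPS:-203.0.113.10 203.0.113.20}"   # placeholder, replace

# gateway_ruleset MODE   (MODE = stateful | stateless, default stateful)
# Prints an nft ruleset. "stateful" lets connection tracking admit relay
# replies; "stateless" instead opens the ephemeral range explicitly from the
# relay IPs, as the page describes for firewalls without tracking.
gateway_ruleset() {
  mode="${1:-stateful}"
  relays=$(printf '%s' "$RELAY_IPS" | sed 's/ /, /g')
  apis=$(printf '%s' "$API_IPS" | sed 's/ /, /g')
  echo "table inet infisical_gw {"
  echo "  chain output {"
  echo "    type filter hook output priority 0; policy drop;"
  echo "    oif lo accept"
  [ "$mode" = stateful ] && echo "    ct state established,related accept"
  echo "    udp dport 53 accept  # DNS (assumed): resolves the API hostnames"
  echo "    ip daddr { $relays } udp dport { $RELAY_PORTS } accept"
  echo "    ip daddr { $apis } tcp dport 443 accept"
  echo "  }"
  echo "  chain input {"
  echo "    type filter hook input priority 0; policy drop;"
  echo "    iif lo accept"
  if [ "$mode" = stateful ]; then
    echo "    ct state established,related accept"
  else
    # No conntrack: relay replies must be admitted by address and port alone.
    echo "    ip saddr { $relays } udp sport { $RELAY_PORTS } udp dport 49152-65535 accept"
    # API responses on TCP 443 likewise need an explicit inbound rule.
    echo "    ip saddr { $apis } tcp sport 443 accept"
  fi
  echo "  }"
  echo "}"
}

gateway_ruleset "${1:-stateful}"
```

Pipe the output into `nft -c -f -` to syntax-check it, then `nft -f -` to load it; the stateful variant is the one to prefer whenever the firewall supports connection tracking.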

Frequently Asked Questions